Virtual list view problem
by Venish Khant
Hi all,
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I search, I
only want a limited number of entries from the result, so for this
search I am using the Net::LDAP::Control::VLV module. But I get an error
on the VLV response control. Does anyone have an idea about this error?
Error: Died at vlv.pl line 50
This is my example; line 50 is marked below.
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Control::Sort;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );

# Called by Net::LDAP for every entry the search returns
sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process (end of the result)
    return unless defined $entry;
    print "dn: " . $entry->dn() . "\n";
    foreach my $attr ( $entry->attributes() ) {
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        foreach my $value ( @$attrvalue ) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;    # drop the entry once it has been printed
    print "\n";
}

my $ldap = Net::LDAP->new( "localhost" ) or die "$@";

# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,     # No entries from before target entry
    after   => 19,    # 19 entries after target entry
    content => 0,     # List size unknown
    offset  => 1,     # Target entry is the first
);
# VLV is only defined over a sorted result set, so a Sort control goes with it
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );

my @args = (
    base     => "dc=example,dc=co,dc=in",
    scope    => "subtree",
    filter   => "(objectClass=inetOrgPerson)",
    callback => \&procentry,    # Call this sub for each entry
    control  => [ $sort, $vlv ],
);

my $mesg = $ldap->search( @args );
# Get VLV response control
my ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;   # <-- line 50, where it dies
$vlv->response( $resp );

# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );

# Now get the previous page
$vlv->scroll_page( -1 );
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );

# Now page with first entry starting with "B" in the middle
$vlv->before(9);      # Change page to show 9 before
$vlv->after(10);      # Change page to show 10 after
$vlv->assert("B");    # assert "B"
$mesg = $ldap->search( @args );
--
Venish Khant
www.deeproot.co.in
7 years, 3 months
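As an added example (not code from the original post, nor from the Net::LDAP documentation), the script below makes the two checks that a bare `or die` on the response control skips. It first asks the root DSE whether the server advertises the Sort and VLV request controls at all (on OpenLDAP both come from the sssvlv overlay; a server that does not list them will never return a VLV response, whatever the client sends). It then tests `$mesg->code` before looking for the response control, so a search the server rejected reports its real error instead of "Died at vlv.pl line 50". The hostname, base and filter are copied from the post; the attribute list and the labels are assumptions.

```perl
#!/usr/bin/perl
# Added example, not from the original post: check that the server
# advertises the controls, and check the search result before reading
# the VLV response control. Host, base and filter are taken from the
# post; the attribute list is an assumption.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control::Sort;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw(
    LDAP_SUCCESS
    LDAP_CONTROL_SORTREQUEST
    LDAP_CONTROL_VLVREQUEST
    LDAP_CONTROL_VLVRESPONSE
);

my $ldap = Net::LDAP->new('localhost') or die "connect: $@";

# 1. VLV and server-side sorting are optional extensions. The root DSE
#    lists what this server supports; if either OID is missing, no VLV
#    response control will ever come back.
my $dse = $ldap->root_dse(attrs => ['supportedControl'])
    or die "cannot read root DSE\n";
for my $oid (LDAP_CONTROL_SORTREQUEST, LDAP_CONTROL_VLVREQUEST) {
    die "server does not advertise control $oid\n"
        unless $dse->supported_control($oid);
}

# 2. VLV is defined only over a sorted result set, so the Sort control
#    must accompany it in every request.
my $sort = Net::LDAP::Control::Sort->new(order => 'cn');
my $vlv  = Net::LDAP::Control::VLV->new(
    before  => 0,    # nothing before the target
    after   => 19,   # 19 after it: a 20-entry page
    content => 0,    # list size unknown on the first request
    offset  => 1,    # target is the first entry
);

my @args = (
    base    => 'dc=example,dc=co,dc=in',
    scope   => 'subtree',
    filter  => '(objectClass=inetOrgPerson)',
    attrs   => ['cn', 'mail'],          # assumption: only what we print
    control => [ $sort, $vlv ],
);

# 3. Fetch one page. Look at the result code first: a failed search
#    (unavailableCriticalExtension, adminLimitExceeded, insufficient
#    access, ...) carries no VLV response control, so dying on the
#    missing control alone hides the real reason.
sub fetch_page {
    my ($label) = @_;
    my $mesg = $ldap->search(@args);
    die sprintf "%s: search failed: %s (%d)\n", $label, $mesg->error, $mesg->code
        if $mesg->code != LDAP_SUCCESS;

    my ($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE);
    die "$label: search succeeded but returned no VLV response control\n"
        unless $resp;
    die sprintf "%s: VLV response result code %d\n", $label, $resp->result
        if $resp->result != LDAP_SUCCESS;

    # Hand the server's context and content count back to the request
    # control so the next page continues from the same sorted list.
    $vlv->response($resp);
    printf "%s: target %d of %d, %d entries returned\n",
        $label, $resp->targetOffset, $resp->contentCount, $mesg->count;
    print '  ', $_->dn, "\n" for $mesg->entries;
    return $mesg;
}

fetch_page('first page');
$vlv->end;             fetch_page('last page');
$vlv->scroll_page(-1); fetch_page('previous page');
$ldap->unbind;
```

If the root DSE check fails on an OpenLDAP server, the sssvlv overlay is not loaded on the database being searched; if the search itself fails with a result code, that code (not the missing control) is what needs fixing.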
Using NSS
by Braden McDaniel
I am trying to get OpenLDAP (2.4.24) working with NSS on Fedora 15. In
cn=config.ldif I have:
olcTLSCACertificatePath: /etc/pki/nssdb
olcTLSCertificateFile: endoframe
I have used certutil to create a self-signed certificate:
# certutil -d /etc/pki/nssdb -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
endoframe Cu,Cu,Cu
But this doesn't appear to be working:
$ ldapsearch -H ldaps://rail -b dc=endoframe,dc=net -x -d1
ldap_url_parse_ext(ldaps://rail)
ldap_create
ldap_url_parse_ext(ldaps://rail:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP rail:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_close_socket: 3
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_close_socket: 3
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
slapd is running:
# systemctl status slapd.service
slapd.service - LSB: starts and stopd OpenLDAP server daemon
Loaded: loaded (/etc/rc.d/init.d/slapd)
Active: active (running) since Wed, 05 Oct 2011 02:24:11 -0400; 3 weeks and 0 days ago
Main PID: 1429 (slapd)
CGroup: name=systemd:/system/slapd.service
└ 1429 /usr/sbin/slapd -h ldap:/// -u ldap
Any ideas of what I might be doing wrong, or where I should be looking
to debug this?
--
Braden McDaniel <braden(a)endoframe.com>
11 years, 7 months
Ldap is up, trying to get tls working.
by John Tobin
Folks,
I have OpenLDAP up; it supports vsftpd, sshd, and 5 client Linux machines
for remote login.
I would like to get TLS working. I would support either ldaps [port 636] or
the TLS available on port 389; I am aware of the differences in
implementation, and of the fact that an administrator effectively has to make a
decision to support one or the other in most cases.
Currently:
I have slapd running configured for TLS under ldap [std port 389].
I am testing it on the slapd machine, with a client on the same machine.
I am pointing to the same CA certificate in slapd.d [cn=config.ldif] and
ldap.conf.
With that in place, and the ldap.conf below:
nightmare:/etc # cat ldap.conf
base dc=dark,dc=net
uri ldap://nightmare.dark.net
# scope sub
# binddn "cn=admin,dc=dark,dc=net"
# bindpw jackie
bind_policy soft
# The user ID attribute (defaults to uid)
pam_login_attribute uid
pam_lookup_policy yes
pam_password exop
nss_schema rfc2307bis
tls_reqcert never
pam_filter objectClass=posixAccount
ldap_version 3
nss_map_attribute uniqueMember uniqueMember
ssl start_tls
tls_cacert /var/lib/ldap/cacert.pem
tls_cert /var/lib/server.crt
tls_key /var/lib/ldap/server.key
I have run ldapsearch:
nightmare:/media # ldapsearch -v -x -H ldap://nightmare.dark.net:389/ -b "dc=dark,dc=net" -Z
ldap_initialize( ldap://nightmare.dark.net:389/??base )
filter: (objectclass=*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=dark,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# dark.net
dn: dc=dark,dc=net
dc: dark
o: dark
objectClass: organization
objectClass: dcObject
# admin, dark.net
dn: cn=admin,dc=dark,dc=net
objectClass: organizationalRole
cn: admin
# Default Policy, dark.net
dn: cn=Default Policy,dc=dark,dc=net
objectClass: namedObject
objectClass: pwdPolicy
cn: Default Policy
# People, dark.net
dn: ou=People,dc=dark,dc=net
objectClass: organizationalUnit
ou: People
description: People is used in mapping the /etc/passwd entries
# jtobin, People, dark.net
dn: uid=jtobin,ou=People,dc=dark,dc=net
uid: jtobin
cn: John C. Tobin
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
loginShell: /bin/ksh
uidNumber: 5000
gidNumber: 100
homeDirectory: /home/jtobin
gecos: John C. Tobin
# defaultDNS, dark.net
dn: cn=defaultDNS,dc=dark,dc=net
cn: defaultDNS
objectClass: top
objectClass: suseDnsConfiguration
suseDefaultBase: ou=DNS,dc=dark,dc=net
# DNS, dark.net
dn: ou=DNS,dc=dark,dc=net
objectClass: top
objectClass: organizationalUnit
ou: DNS
# search result
search: 3
result: 0 Success
# numResponses: 8
# numEntries: 7
nightmare:~ #
#####
So I am assuming the LDAP server on ldap://nightmare.dark.net:389/ with TLS
works.
[I looked through the message output in /var/log/message and see the
"STARTTLS" and "TLS established tls_ssf=256".]
I have done a number of similar ldapsearches. This appears to work
correctly.
On the client machine I now do:
nightmare:/media # su - jtobin
su: user jtobin does not exist
nightmare:/media #
/var/log/message output:
nightmare:/var/log # tail -f | grep -i tls
Oct 28 11:29:01 nightmare slapd[11118]: conn=1217 op=0 STARTTLS
Oct 28 11:29:01 nightmare worker_nscd: nss-ldap: do_open: do_start_tls
failed:stat=-1
Oct 28 11:29:01 nightmare slapd[11118]: connection_read(14): TLS accept
failure error=-1 id=1217, closing
Oct 28 11:29:01 nightmare slapd[11118]: conn=1217 fd=14 closed (TLS
negotiation failure)
Oct 28 11:29:01 nightmare slapd[11118]: conn=1218 op=0 STARTTLS
Oct 28 11:29:01 nightmare worker_nscd: nss-ldap: do_open: do_start_tls
failed:stat=-1
Oct 28 11:29:01 nightmare slapd[11118]: connection_read(14): TLS accept
failure error=-1 id=1218, closing
Oct 28 11:29:01 nightmare slapd[11118]: conn=1218 fd=14 closed (TLS
negotiation failure)
[If you want more of the log, I can obviously get it, but these appear to be
the important parts.]
This is probably a configuration error, or a logical / architecture
misunderstanding; OK, I'm a newbie.
Do I have incorrectly generated certificates? [The certificates were generated
via http://www.openldap.org/faq/data/cache/185.html.]
What did I do wrong?
This is running OpenLDAP 2.4.26 on SUSE 12.1 milestone 5.
Thanks in advance.
tob
11 years, 9 months
Syncrepl SSL fail
by Hugo Deprez
Dear community,
I set up syncrepl between my master OpenLDAP server and a consumer.
I am trying to use SSL for this syncrepl.
I get the following error in the log when I start slapd on the consumer:
Oct 13 17:04:59 server slapd[16905]: slapd starting
Oct 13 17:04:59 server slapd[16905]: slap_client_connect:
URI=ldaps://ldap.mydomain.fr:1024/
DN="cn=syncrepluser,o=others,dc=mydomain,dc=fr" ldap_sasl_bind_s
failed (-1)
Oct 13 17:04:59 server slapd[16905]: do_syncrepl: rid=003 rc -1
retrying (9 retries left)
I don't understand why it is failing, as a single ldapsearch from the
same server with the syncrepl user is working.
Here is my syncrepl configuration:
syncrepl rid=003
provider=ldaps://ldap.mydomain.fr:1024/
type=refreshOnly
retry="60 10 600 +"
interval=00:00:00:10
searchbase="dc=mydomain,dc=fr"
scope=sub
schemachecking=on
bindmethod=simple
binddn="cn=syncrepluser,o=others,dc=mydomain,dc=fr"
credentials=my_password
Any idea ?
Regards,
Hugo
11 years, 9 months
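The two previous threads (the nss_ldap STARTTLS failure, and this syncrepl ldaps bind failure) share one pattern: ldapsearch from a shell works, while a daemon talking to the same server fails with -1. The daemon runs with different TLS options, as a different user, and without the shell's ~/.ldaprc; in the syncrepl case the syncrepl directive also accepts its own tls_cacert= and tls_reqcert= options, so the consumer's trust settings need not match the ldap.conf that ldapsearch read. As an added example, not code from either poster, the script below performs the daemon's connection steps one at a time (TCP connect, TLS handshake, bind, a base search) and names the step that fails. Hostnames, ports, DNs and file paths are copied from the two posts; everything else is an assumption.

```perl
#!/usr/bin/perl
# Added example, not from either post: reproduce a daemon's TLS setup in a
# small script so a handshake failure can be told apart from a bind or
# access failure. Hostnames, ports, DNs and paths are copied from the two
# posts and are assumptions about the reader's environment.
use strict;
use warnings;
use Net::LDAP;

# Verify the server certificate against the CA that signed it.
# verify => 'require' is the equivalent of TLS_REQCERT demand. The posted
# ldap.conf uses tls_reqcert never, which lets ldapsearch succeed against
# any certificate and so hides trust problems that a stricter client hits.
my %tls = (
    verify => 'require',
    cafile => '/var/lib/ldap/cacert.pem',
);

# Connect, secure the connection, bind, and do a minimal base search.
# Returns 'ok' or a string naming the step that failed and why.
sub probe {
    my %p = @_;    # uri, tls (hashref), base, optional binddn/password
    my $ldap;
    if ($p{uri} =~ /^ldaps:/) {
        # ldaps: the handshake happens inside new(), so a TLS error
        # surfaces here as a failed constructor.
        $ldap = Net::LDAP->new($p{uri}, %{ $p{tls} })
            or return "TLS connect: $@";
    } else {
        # ldap + STARTTLS: the handshake is a separate operation and
        # reports its own error, distinct from the TCP connect.
        $ldap = Net::LDAP->new($p{uri}) or return "connect: $@";
        my $m = $ldap->start_tls(%{ $p{tls} });
        return 'STARTTLS: ' . $m->error if $m->code;
    }
    my $bind = defined $p{binddn}
        ? $ldap->bind($p{binddn}, password => $p{password})
        : $ldap->bind;                       # anonymous
    return 'bind: ' . $bind->error if $bind->code;

    # The cheapest read that still exercises ACLs on the base entry.
    my $s = $ldap->search(
        base   => $p{base},
        scope  => 'base',
        filter => '(objectClass=*)',
        attrs  => ['1.1'],
    );
    return 'search: ' . $s->error if $s->code;
    $ldap->unbind;
    return 'ok';
}

# Case 1 (STARTTLS on 389, as nss_ldap does it): ldap.conf also names a
# client certificate and key, so the handshake differs from a plain
# "ldapsearch -Z". Run this as the nscd user: a key readable by root but
# not by the daemon fails in the handshake exactly like this.
print 'nss_ldap-style STARTTLS: ', probe(
    uri  => 'ldap://nightmare.dark.net:389',
    tls  => { %tls,
              clientcert => '/var/lib/server.crt',
              clientkey  => '/var/lib/ldap/server.key' },
    base => 'dc=dark,dc=net',
), "\n";

# Case 2 (ldaps on a non-standard port, as the syncrepl consumer does it):
# simple bind as the replication DN. The password is read from the
# environment so it is not left in a script (an assumption of this example).
print 'syncrepl-style ldaps: ', probe(
    uri      => 'ldaps://ldap.mydomain.fr:1024',
    tls      => \%tls,
    binddn   => 'cn=syncrepluser,o=others,dc=mydomain,dc=fr',
    password => ($ENV{SYNCREPL_PW} // die "set SYNCREPL_PW in the environment\n"),
    base     => 'dc=mydomain,dc=fr',
), "\n";
```

Run it as the account the failing daemon runs under (for example `sudo -u nscd perl probe.pl`, or the slapd user on the consumer): a CA file or private key that root can read but the daemon cannot fails with a TLS error here and passes from a root shell, which is the same split the two posts describe.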
Searches causing disk writes
by Adam Wale
Hi,
I'm observing an issue where a large number of searches against an openldap server results in a large amount of disk writes occurring.
I have 10 hosts performing the same workload, the hosts are running slapd 2.4.21 under Ubuntu Lucid. If I stop searching against one of the hosts I see disk write activity from that host drop dramatically. I initially noticed the high write activity in the VMware stats for the hosts and have used iostat on the hosts to gather further info. The hosts being searched are slaves in a slurpd replication environment; they do not have replication logging enabled, the directory is using a hdb backend.
Over a 5 minute period the average disk write activity is 8517KB/s when being searched, and 41KB/s when not being searched; over the same time period the average disk read activity is 8KB/s.
When performing searches against a host an average workload is 300 searches/second, average entry size is 450bytes, and average entries returned is 30.
The hosts have plenty of free RAM and are not using any swap. I have disabled the monitor backend but haven't seen much of an improvement by doing this; given that the monitor database is instantiated at startup, is it stored in memory? (If not, why not make that an option?)
Does anyone have any ideas as to why reading from the directory would be causing disk writes at such a high rate?
Thanks,
Adam
11 years, 10 months
LD_LIBRARY_PATH exported but libdb-4.6.so not found
by Pablo Chamorro C.
I updated from 2.4.21 to 2.4.23 in some old Fedoras and also in a CentOS
5.4.
Before compiling, I run:
export LD_LIBRARY_PATH=/usr/local/BerkeleyDB.4.6/lib
export CPPFLAGS="-I/usr/local//BerkeleyDB.4.6/include"
export LDFLAGS="-L/usr/local/BerkeleyDB.4.6/lib"
and it compiles OK. But after installing, on 3 out of 4 of the servers, slapd
doesn't start unless I first execute:
export LD_LIBRARY_PATH=/usr/local/BerkeleyDB.4.6/lib
Attached, the output of ldd /usr/local/libexec/slapd, before and after running
export LD_LIBRARY_PATH=/usr/local/BerkeleyDB.4.6/lib. In short:
without LD_LIBRARY_PATH defined:
libdb-4.6.so => not found
with LD_LIBRARY_PATH as above:
libdb-4.6.so => /usr/local/BerkeleyDB.4.6/lib/libdb-4.6.so (0x00002b4eb2c16000)
Could you please explain to me why this might be happening? Is this a bug? This
issue occurred on at least 3 servers, but I have another CentOS 5.4 where
the compilation and install process run just fine, and I didn't need that
workaround.
Thank you,
Pablo Chamorro
11 years, 10 months
Password policy complexity
by Hugo Deprez
Dear community,
I would like to specify the complexity of the password for users.
For example, a password must contain:
one special character such as: !£"$%^&*()-_+=:;'@~#?<>
one capital letter
etc.
The password policy overlay only allows specifying the number of characters.
Is that possible?
Regards,
Hugo
11 years, 10 months
Problem with SASL2 DIGEST-MD5 and OpenLDAP
by bea chataigne
On Red Hat 6, OpenLDAP 2.4 and cyrus-sasl 2.1.23.
I created a sasldb user syncuser, and in my slapd.d configuration I added:
olcAuthzRegexp: {0}"uid=syncuser,cn=DIGEST-MD5,cn=auth" "cn=syncuser,dc=xxx,dc=fr"
I gave the ldap user read rights on the sasldb.
Problem during an ldapsearch:
# ldapsearch -Y DIGEST-MD5 -U syncuser
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
slapd in debug mode gives me:
slapd[2608]: do_bind: dn () SASL mech DIGEST-MD5
slapd[2608]: ==> sasl_bind: dn="" mech=<continuing> datalen=277
slapd[2608]: SASL [conn=1002] Debug: DIGEST-MD5 server step 2
slapd[2608]: SASL Canonicalize [conn=1002]: authcid="syncuser"
slapd[2608]: slap_sasl_getdn: conn 1002 id=syncuser [len=8]
slapd[2608]: slap_sasl_getdn: u:id converted to
uid=syncuser,cn=DIGEST-MD5,cn=auth
slapd[2608]: >>> dnNormalize: <uid=syncuser,cn=DIGEST-MD5,cn=auth>
slapd[2608]: <<< dnNormalize: <uid=syncuser,cn=digest-md5,cn=auth>
slapd[2608]: ==>slap_sasl2dn: converting SASL name
uid=syncuser,cn=digest-md5,cn=auth to a DN
slapd[2608]: [rw] authid: "uid=syncuser,cn=digest-md5,cn=auth" ->
"cn=syncuser,dc=xxx,dc=fr"
slapd[2608]: slap_parseURI: parsing cn=syncuser,dc=xxx,dc=fr
slapd[2608]: >>> dnNormalize: <cn=syncuser,dc=xxx,dc=fr>
slapd[2608]: <<< dnNormalize: <cn=syncuser,dc=xxx,dc=fr>
slapd[2608]: <==slap_sasl2dn: Converted SASL name to
cn=syncuser,dc=xxx,dc=fr
slapd[2608]: slap_sasl_getdn: dn:id converted to cn=syncuser,dc=xxx,dc=fr
slapd[2608]: SASL Canonicalize [conn=1002]:
slapAuthcDN="cn=syncuser,dc=xxx,dc=fr"
slapd[2608]: => hdb_search
slapd[2608]: daemon: activity on 1 descriptor
slapd[2608]: daemon: activity on:
slapd[2608]:
slapd[2608]: daemon: epoll: listen=7 active_threads=1 tvp=zero
slapd[2608]: daemon: epoll: listen=8 active_threads=1 tvp=zero
slapd[2608]: daemon: epoll: listen=9 active_threads=1 tvp=zero
slapd[2608]: daemon: epoll: listen=10 active_threads=1 tvp=zero
slapd[2608]: bdb_dn2entry("cn=syncuser,dc=xxx,dc=fr")
slapd[2608]: => hdb_dn2id("cn=syncuser,dc=xxx,dc=fr")
slapd[2608]: <= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data
pair found (-30988)
slapd[2608]: => access_allowed: disclose access to "dc=xxx,dc=fr" "entry"
requested
slapd[2608]: => dnpat: [5] uid=([^,].*),ou=People,dc=xxx,dc=fr nsub: 1
slapd[2608]: => dnpat: [6] uid=([^,].*),ou=People,dc=xxx,dc=fr nsub: 1
slapd[2608]: => dn: [7] ou=people,dc=xxx,dc=fr
slapd[2608]: => dn: [8] ou=admin,dc=xxx,dc=fr
slapd[2608]: => dn: [9] ou=services,dc=xxx,dc=fr
slapd[2608]: => dnpat: [10] ou=groups,ou=(.*),ou=web,dc=xxx,dc=fr nsub: 1
slapd[2608]: => dnpat: [11] ou=(.*),ou=web,dc=xxx,dc=fr nsub: 1
slapd[2608]: => acl_get: [12] attr entry
slapd[2608]: => acl_mask: access to entry "dc=xxx,dc=fr", attr "entry"
requested
slapd[2608]: => acl_mask: to all values by "", (=0)
slapd[2608]: <= check a_dn_pat: *
slapd[2608]: <= acl_mask: [2] applying read(=rscxd) (stop)
slapd[2608]: <= acl_mask: [2] mask: read(=rscxd)
slapd[2608]: => slap_access_allowed: disclose access granted by
read(=rscxd)
slapd[2608]: => access_allowed: disclose access granted by read(=rscxd)
slapd[2608]: send_ldap_result: conn=1002 op=1 p=3
slapd[2608]: send_ldap_result: err=10 matched="dc=xxx,dc=fr" text=""
slapd[2608]: SASL Canonicalize [conn=1002]: authzid="syncuser"
slapd[2608]: SASL [conn=1002] Failure: no secret in database
slapd[2608]: send_ldap_result: conn=1002 op=1 p=3
slapd[2608]: send_ldap_result: err=49 matched="" text="SASL(-13): user not
found: no secret in database"
slapd[2608]: send_ldap_response: msgid=2 tag=97 err=49
slapd[2608]: conn=1002 op=1 RESULT tag=97 err=49 text=SASL(-13): user not
found: no secret in database
slapd[2608]: <== slap_sasl_bind: rc=49
slapd[2608]: daemon: activity on 1 descriptor
slapd[2608]: daemon: activity on:
slapd[2608]: 31r
Thank you for your suggestions.
B Chataigne
11 years, 11 months
directory performance on modifytimestamp and createtimestamp
by Flack, Simon
All,
Has anyone tried creating an index in OpenLDAP to speed up inequality
searches (e.g. of the form modifyTimestamp>=20111025162408Z) on the
modifyTimestamp or createTimestamp attributes?
If so, what type of index did you create, did OpenLDAP perform reads
faster than with no index, and did the presence of the index slow down
writes to OpenLDAP appreciably?
Many Thanks,
Simon Flack.
11 years, 11 months
[Autofs for Linux and OSX] back-relay ? aliases ?
by Frava
Hello,
I'm configuring autofs maps via OpenLDAP for some OS X (10.5/6/7) and Linux
CentOS (5/6) boxes, and I'm running into a little problem.
OS X needs to have an "automountMapName=auto_master" and
"automountMapName=auto_home" located in
"cn=automountMap,dc=subnet,dc=example,dc=com".
Linux needs to have an "automountMapName=auto.master" and
"automountMapName=auto.home" located wherever I want in
"dc=subnet,dc=example,dc=com".
The entries contained in "automountMapName=auto_home" and
"automountMapName=auto.home" will be exactly the same ones, so
what is the best way to implement this without duplicating them? Using aliases
or rwm+relay?
Cheers,
Rafael.
11 years, 11 months